FC4 documentation for apache + selinux ?
Paul Howarth
paul at city-fan.org
Thu Jan 5 15:17:10 UTC 2006
Timothy Murphy wrote:
> Paul Howarth wrote:
>
>
>>>I looked at "Understanding and Customizing the Apache HTTP SELinux
>>>Policy" at <http://fedora.redhat.com/docs/selinux-apache-fc3/index.html>,
>>>but the changes between FC3 and FC4 seemed to make much of this
>>>irrelevant.
>>>
>>>Is there a corresponding document for FC4?
>>
>>Most of the principles remain the same in FC4. I think the biggest
>>single thing that you need to remember is that FC4 uses the "targeted"
>>policy by default, whilst the examples in the document are for the
>>"strict" policy. Do the appropriate substitutions in examples and most
>>things will work.
>
>
> Some suggestions in this document which did not work for me under FC4.
> (I did not run selinux under FC3.)
>
> 1) "Your first step is to install the httpd package, and probably the
> httpd-suexec and httpd-manual packages."
>
> There does not seem to be an httpd-suexec rpm for FC4.
The suexec program is contained within the main httpd package in FC4, so
that's indeed a difference.
> 2) By default, SELinux enforcement for Apache HTTP is enabled. To verify
> this, run system-config-securitylevel, and view the SELinux tab. Click on
> the Transition tree, and ensure that Disable SELinux protection for httpd
> daemon is not checked.
>
> What is the "Transition tree"?
> Does this mean the list of "Trusted services"?
> (If so, why not say that??)
>
> In my case https and http have check-marks against them.
> But what exactly does "Trusted services" mean?
> Does it mean that selinux trusts these services,
> and so does not concern itself with them?
> Or does it mean the opposite,
> that selinux _is_ looking after them?
>
> And what on earth does "Enforcing current Disabled" mean
> when I click the SELinux tag?
I can't answer these personally as I use the command-line tools rather
than the GUI. Hopefully Dan will follow up on that.
> 3) " As a further check, use the command ps axZ | grep httpd.
> You should see it running in the root_u:system_r:httpd_t security context.
> The important part of that is the third component, the httpd_t type."
>
> When I run this command, I do not get this response,
> or anything like it:
> -------------------------------
> [tim at alfred ~]$ ps axZ | grep httpd
> kernel 13047 ? Ss 0:00 /usr/sbin/httpd
> kernel 24171 ? S 0:00 /usr/sbin/httpd
> kernel 24172 ? S 0:00 /usr/sbin/httpd
> kernel 24173 ? S 0:00 /usr/sbin/httpd
> kernel 24174 ? S 0:00 /usr/sbin/httpd
> kernel 24175 ? S 0:00 /usr/sbin/httpd
> kernel 13204 pts/3 S+ 0:00 grep httpd
> -------------------------------
What's the output of:
# getsebool -a | grep httpd
Paul.
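The check the FC3 document describes (httpd running with the httpd_t type as the third component of its context) can be scripted against `ps axZ` output. This is an added example, not code from the thread or from Fedora; the two sample listings are constructed, one mimicking Tim's quoted output and one using the context the document quotes.

```shell
#!/bin/sh
# Added example: reads a `ps axZ` listing on stdin and reports whether every
# /usr/sbin/httpd process runs in the httpd_t domain.
# Returns 0 if all httpd processes are confined, 1 otherwise.
httpd_confined() {
    # Field 1 is the security context (user:role:type), the command is the
    # last field. Match only real httpd processes, not the "grep httpd" line.
    awk '
        $NF == "/usr/sbin/httpd" {
            n = split($1, ctx, ":")
            total++
            # The type is the third component. Anything else (the bare
            # "kernel" label in the quoted listing, or unconfined_t) means the
            # daemon is not running under the httpd policy.
            if (n >= 3 && ctx[3] == "httpd_t") confined++
            else printf "unconfined httpd pid %s: context %s\n", $2, $1
        }
        END {
            if (total == 0) { print "no httpd processes found"; exit 1 }
            printf "%d of %d httpd processes in httpd_t\n", confined, total
            exit (confined == total) ? 0 : 1
        }'
}

# Constructed sample reproducing the output quoted in the thread (no context).
SAMPLE_UNCONFINED='kernel 13047 ? Ss 0:00 /usr/sbin/httpd
kernel 24171 ? S 0:00 /usr/sbin/httpd
kernel 13204 pts/3 S+ 0:00 grep httpd'

# Constructed sample of a confined daemon, using the context the document quotes.
SAMPLE_CONFINED='root_u:system_r:httpd_t 13047 ? Ss 0:00 /usr/sbin/httpd
root_u:system_r:httpd_t 24171 ? S 0:00 /usr/sbin/httpd'

# On a live host:  ps axZ | httpd_confined
```

A listing where httpd shows no type at all, as in the quoted output, fails the check just like one showing a wrong type, which is the first thing to establish before looking at the booleans.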